US11616805B2ActiveUtilityA1

Malware protection for virtual machines

75
Assignee: RUBRIK INCPriority: Jan 28, 2020Filed: Jan 28, 2020Granted: Mar 28, 2023
Est. expiryJan 28, 2040(~13.5 yrs left)· nominal 20-yr term from priority
G06F 9/45558H04L 63/145G06F 2009/45587H04L 63/1416G06F 2009/45595G06F 2009/45579
75
PatentIndex Score
1
Cited by
22
References
20
Claims

Abstract

A computer-implemented method at a data management system comprises receiving, at the system, a write made to a virtual machine from a virtual machine host; computing, at the system, a fingerprint of the transmitted write; comparing, at the system, the computed fingerprint to malware fingerprints in a malware catalog; repeating the computing and comparing; and disabling the virtual machine if a number of matches from the comparing breaches a predetermined threshold over a predetermined amount of time.

Claims

exact text as granted — not AI-modified
The invention claimed is: 
     
       1. A data management system, comprising:
 a storage appliance configured to receive writes made to a virtual machine; and 
 one or more processors in communication with the storage appliance, the one or more processors configured to cause the storage appliance to perform operations including:
 receiving a write made to the virtual machine from a virtual machine host; 
 computing a fingerprint of the write; 
 incrementing a counter based at least in part on identifying a match between the fingerprint and a malware fingerprint of a plurality of malware fingerprints in a malware catalog; and 
 disabling the virtual machine based at least in part on a value of the counter breaching a threshold within a threshold duration of time. 
 
 
     
     
       2. The system of  claim 1 , wherein the operations further include restoring the virtual machine, using a snapshot stored in the storage appliance, to a state before the threshold was breached. 
     
     
       3. The system of  claim 1 , wherein the operations further include blocking writes from a source of the match. 
     
     
       4. The system of  claim 1 , wherein the operations further include generating the malware catalog, and wherein generating the malware catalog comprises generating fingerprints of binaries and compressed binaries of known malware. 
     
     
       5. The system of  claim 4 , wherein the computing comprises computing fingerprints at 4 kilobytes aligned offsets. 
     
     
       6. The system of  claim 1 , wherein the operations further include repeatedly generating snapshots of the virtual machine over time. 
     
     
       7. A computer-implemented method at a data management system, the method comprising:
 receiving, at the system, a write made to a virtual machine from a virtual machine host; 
 computing, at the system, a fingerprint of the write; 
 incrementing, at the system, a counter based at least in part on identifying a match between the fingerprint and a malware fingerprint of a plurality of malware fingerprints in a malware catalog; and
 disabling the virtual machine based at least in part on a value of the counter breaching a threshold within a threshold duration of time. 
 
 
     
     
       8. The method of  claim 7 , further comprising restoring the virtual machine, using a snapshot stored in a storage appliance, to a state before the threshold was breached. 
     
     
       9. The method of  claim 7 , further comprising blocking writes from a source of the match. 
     
     
       10. The method of  claim 7 , further comprising generating the malware catalog, wherein generating the malware catalog comprises generating fingerprints of binaries and compressed binaries of known malware. 
     
     
       11. The method of  claim 10 , wherein the computing comprises computing fingerprints at 4 kilobytes aligned offsets. 
     
     
       12. The method of  claim 7 , further comprising repeatedly generating snapshots of the virtual machine over time. 
     
     
       13. A non-transitory, machine-readable medium storing instructions which, when read by a machine, cause the machine to perform operations comprising, at least:
 receiving, at the machine, a write made to a virtual machine from a virtual machine host; 
 computing, at the machine, a fingerprint of the write; 
 incrementing, at the machine, a counter based at least in part on identifying a match between the fingerprint and a malware fingerprint of a plurality of malware fingerprints in a malware catalog; and 
 disabling the virtual machine based at least in part on a value of the counter breaching a threshold within a threshold duration of time. 
 
     
     
       14. The machine-readable medium of  claim 13 , wherein the operations further include restoring the virtual machine, using a snapshot stored in a storage appliance, to a state before the threshold was breached. 
     
     
       15. The machine-readable medium of  claim 13 , wherein the operations further include blocking writes from a source of the match. 
     
     
       16. The machine-readable medium of  claim 13 , wherein the operations further include generating the malware catalog, and wherein generating the malware catalog comprises generating fingerprints of binaries and compressed binaries of known malware. 
     
     
       17. The machine-readable medium of  claim 16 , wherein the computing comprises computing fingerprints at 4 kilobytes aligned offsets. 
     
     
       18. The machine-readable medium of  claim 13 , wherein the operations further include repeatedly generating snapshots of the virtual machine over time. 
     
     
       19. The system of  claim 1 , wherein the operations further include comparing, based at least in part on incrementing the counter, the value of the counter to the threshold to determine that the value of the counter breached the threshold. 
     
     
       20. The system of  claim 1 , wherein the threshold corresponds to a percentage of a quantity of writes made to the virtual machine within the threshold duration of time.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.